HTTP to HTTPS iRule not working

This iRule is on the HTTPS VIP? If so, you're likely witnessing a redirect loop - where every request is met with an immediate redirect to itself. The above iRule should only be on the HTTP VIP.

You may want to enable some logging so that you can see what is happening. Add the following line to your irule before the redirect: log local0. "Redirecting [HTTP::host] to https://hostname.com"

This should place an entry in the log file for ltm that will prove that you are hitting the irule. If you can not find that message in your syslog, then you are not hitting the irule.

I could be mistaken, but I don't believe you're trying to pass traffic to a VIP through another VIP. What I understood is that you have two VIPs (80 and 443), and that you want requests to the 80 VIP to get redirected to the 443 VIP. If that's true, then the configuration is pretty straight forward:

1. HTTP VIP which simply has a generic HTTP profile and the iRule (no pool necessary).

    

2. HTTPS VIP which listens on 443 and sends traffic to a pool. If the pool members are not listening on HTTPS, then you need a client SSL profile to offload the client side SSL. If you want to decrypt and re-encrypt, then you need a client and server SSL profile applied to this VIP. If you have any iRules on this VIP that inspect HTTP traffic, then you need an HTTP profile. If you're not certain that the pool members will reliably route back through the LTM, then you should probably also apply a SNAT profile (Automap will do).

    

With this configured, start a tcpdump capture on the client side interface of the LTM and observe the client communicating with the port 80 VIP first, and then the 443 VIP. If that looks good, start a tcpdump capture on the pool member side of the LTM and observe the client's request flowing to a pool member, and the response flowing back through the LTM.

If you can, do those tcpdump captures to verify that traffic is flowing in the directions that you expect it to be.

I'd also recommend a client side layer 7 capture utility like HTTWatch or Fiddler. This will give you a great view of the actual layer 7 HTTP communications, the redirects, and responses.

If you have shell access to the BIG-IP:

Viewing the LTM log:

tail -f /var/log/ltm

Running a tcpdump:

tcpdump -lnni 0.0 host x.x.x.x

where x.x.x.x is the IP address of the VIP. Start with this to observe the port 80 and port 443 communications. If this all looks good, change x.x.x.x to the pool member IP and observe the traffic flowing to/from the server. If that all looks good, fire up Fiddler and observe the HTTP traffic from the browser's perspective.

You want to do a tcpdump on the client side of the VIP. You should be able to filter on the VIP IP and/or your IP in case there is other traffic on the box. What you want to see is:

1. Your client contacting the port 80 VIP (TCP handshake, HTTP GET, HTTP redirect)

    

2. Your client contacting the port 443 VIP (TCP handshake, etc.)

    

If this is what you see, is there a redirect anywhere in this? If it all looks good, try the Fiddler capture.

It doesn't appear that the client is even contacting port 80 VIP

So if I understand you correctly, a tcpdump capture reveals that the client never talks to the HTTP port 80 VIP? Are you testing with a host name or IP address?